In mid-2025, Secureworks Counter Threat Unit (CTU) researchers uncovered a sophisticated cyber campaign where Chinese state-sponsored threat actors from the BRONZE BUTLER group exploited a critical zero-day vulnerability in Motex LANSCOPE Endpoint Manager to gain unauthorized access to corporate networks and extract sensitive data.
The discovery marks another chapter in a long-running pattern of exploitation by this advanced threat group, which has maintained a significant presence in the cybersecurity threat landscape for over a decade.
BRONZE BUTLER, also known as Tick, has been operating since 2010 and maintains a specific focus on targeting Japanese organizations and government entities.
The group’s operational history reveals a consistent strategy of identifying and exploiting vulnerabilities in widely-deployed Japanese security and management software.
Notably, in 2016, BRONZE BUTLER successfully deployed a zero-day exploit against another Japanese endpoint management solution, SKYSEA Client View, demonstrating the group’s deep knowledge of target environments and sustained focus on Japanese infrastructure. This new campaign against LANSCOPE Endpoint Manager represents a continuation of this troubling trend.
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) officially disclosed the LANSCOPE vulnerability on October 22, 2025, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the exploit to its Known Exploited Vulnerabilities Catalog the same day.
This rapid response from international cybersecurity authorities highlights the severity of the threat and the immediate risk posed to organizations running vulnerable LANSCOPE systems.
LANSCOPE Endpoint Manager Zero-Day Vulnerability
The vulnerability exploited in this campaign, designated CVE-2025-61932, represents a critical security flaw that allows remote attackers to execute arbitrary commands with SYSTEM-level privileges on affected systems.
This highest level of access provides threat actors with complete control over compromised hosts, enabling them to install backdoors, modify system configurations, and move laterally throughout enterprise networks without detection.
To complicate detection and analysis, the threat actors deployed OAED Loader malware alongside their backdoors, injecting malicious payloads into legitimate executables to obscure execution flows.

CTU analysis revealed that while the number of internet-facing LANSCOPE devices vulnerable to this exploit is relatively limited, the impact remains significant.
Attackers leveraging this vulnerability within already-compromised networks could conduct privilege escalation attacks and lateral movement operations, potentially compromising an organization’s entire infrastructure.
The threat actors subsequently compressed stolen data using 7-Zip before exfiltrating information through cloud storage services including Piping Server and LimeWire, accessed directly through web browsers during remote sessions.
The combination of remote execution capabilities and SYSTEM-level privileges creates an ideal scenario for sophisticated threat actors seeking to establish persistent access and maintain long-term presence within target networks.
Advanced Malware Infrastructure
The technical sophistication of this BRONZE BUTLER campaign extends far beyond the initial exploitation vector. CTU researchers confirmed that attackers deployed Gokcpdoor malware, a custom backdoor previously documented in 2023 threat intelligence reports.
The 2025 variant of Gokcpdoor represents a significant evolution, discontinuing legacy KCP protocol support in favor of multiplexing communications using third-party libraries for command and control traffic.
This modernization suggests BRONZE BUTLER maintains active development teams continuously improving their malware arsenal.
The group deployed two distinct Gokcpdoor variants with different operational purposes. The server variant functions as a listening endpoint, accepting incoming client connections on specified ports including 38000 and 38002, while providing remote access capabilities.
The client variant initiates connections to hardcoded C2 servers, establishing communication tunnels that function as persistent backdoors. In certain network segments, BRONZE BUTLER substituted Gokcpdoor with the Havoc C2 framework, demonstrating operational flexibility and access to multiple offensive tools.
Once they had established an initial foothold, BRONZE BUTLER employed legitimate tools including goddi for Active Directory reconnaissance, combined with remote desktop applications, to facilitate lateral movement.
Organizations operating LANSCOPE Endpoint Manager deployments should prioritize immediate patching of vulnerable systems and conduct comprehensive reviews of internet-facing LANSCOPE servers to determine legitimate business requirements for public exposure.
Detections and indicators
| Indicator | Type | Context | 
|---|---|---|
| 932c91020b74aaa7ffc687e21da0119c | MD5 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) | 
| be75458b489468e0acdea6ebbb424bc898b3db29 | SHA1 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) | 
| 3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba | SHA256 hash | Gokcpdoor variant used by BRONZE BUTLER (oci.dll) | 
| 4946b0de3b705878c514e2eead096e1e | MD5 hash | Havoc sample used by BRONZE BUTLER (MaxxAudioMeters64LOC.dll) | 
| 1406b4e905c65ba1599eb9c619c196fa5e1c3bf7 | SHA1 hash | Havoc sample used by BRONZE BUTLER (MaxxAudioMeters64LOC.dll) | 
| 9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946 | SHA256 hash | Havoc sample used by BRONZE BUTLER (MaxxAudioMeters64LOC.dll) | 
| 8124940a41d4b7608eada0d2b546b73c010e30b1 | SHA1 hash | goddi tool used by BRONZE BUTLER (winupdate.exe) | 
| 704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3 | SHA256 hash | goddi tool used by BRONZE BUTLER (winupdate.exe) | 
| 38[.]54[.]56[.]57 | IP address | Gokcpdoor C2 server used by BRONZE BUTLER; uses TCP port 443 | 
| 38[.]54[.]88[.]172 | IP address | Havoc C2 server used by BRONZE BUTLER; uses TCP port 443 | 
| 38[.]54[.]56[.]10 | IP address | Connected to ports opened by Gokcpdoor variant used by BRONZE BUTLER | 
| 38[.]60[.]212[.]85 | IP address | Connected to ports opened by Gokcpdoor variant used by BRONZE BUTLER | 
| 108[.]61[.]161[.]118 | IP address | Connected to ports opened by Gokcpdoor variant used by BRONZE BUTLER | 
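The indicators in the table above, together with the Gokcpdoor server-variant listening ports 38000 and 38002 mentioned earlier, lend themselves to a quick sweep of telemetry a defender already has. The Python script below is an added example written for this page, not Secureworks/CTU tooling or anything from the original report. The hashes, IP addresses and ports it matches on are exactly those given on this page; the flow-log lines, file-inventory rows and netstat-style lines it scans are constructed sample data in an assumed key=value firewall-log format and an assumed `netstat -ano` layout.

```python
import re

# Indicators taken from the article's table (defanged IPs are refanged below).
# Everything else in this file (log lines, inventory rows) is constructed sample data.
C2_IPS = {
    "38[.]54[.]56[.]57": "Gokcpdoor C2 server; TCP/443",
    "38[.]54[.]88[.]172": "Havoc C2 server; TCP/443",
    "38[.]54[.]56[.]10": "peer that connected to ports opened by Gokcpdoor",
    "38[.]60[.]212[.]85": "peer that connected to ports opened by Gokcpdoor",
    "108[.]61[.]161[.]118": "peer that connected to ports opened by Gokcpdoor",
}
FILE_HASHES = {
    "932c91020b74aaa7ffc687e21da0119c": "Gokcpdoor variant (oci.dll), MD5",
    "be75458b489468e0acdea6ebbb424bc898b3db29": "Gokcpdoor variant (oci.dll), SHA1",
    "3c96c1a9b3751339390be9d7a5c3694df46212fb97ebddc074547c2338a4c7ba": "Gokcpdoor variant (oci.dll), SHA256",
    "4946b0de3b705878c514e2eead096e1e": "Havoc sample (MaxxAudioMeters64LOC.dll), MD5",
    "1406b4e905c65ba1599eb9c619c196fa5e1c3bf7": "Havoc sample (MaxxAudioMeters64LOC.dll), SHA1",
    "9e581d0506d2f6ec39226f052a58bc5a020ebc81ae539fa3a6b7fc0db1b94946": "Havoc sample (MaxxAudioMeters64LOC.dll), SHA256",
    "8124940a41d4b7608eada0d2b546b73c010e30b1": "goddi tool (winupdate.exe), SHA1",
    "704e697441c0af67423458a99f30318c57f1a81c4146beb4dd1a88a88a8c97c3": "goddi tool (winupdate.exe), SHA256",
}
# Ports the Gokcpdoor server variant was observed listening on (from the article text).
GOKCPDOOR_LISTEN_PORTS = {38000, 38002}


def refang(indicator: str) -> str:
    """Turn a defanged address such as 38[.]54[.]56[.]57 back into a matchable form."""
    return indicator.replace("[.]", ".")


REFANGED_C2 = {refang(ip): ctx for ip, ctx in C2_IPS.items()}

# Assumed firewall/flow-log format: whitespace-separated key=value fields.
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def scan_flow_log(lines):
    """Return (line_no, dst, dport, context) for each flow whose destination is a listed C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FLOW_RE.search(line)
        if not m:
            continue
        ctx = REFANGED_C2.get(m.group("dst"))
        if ctx:
            hits.append((n, m.group("dst"), int(m.group("dport")), ctx))
    return hits


def scan_hash_inventory(rows):
    """rows: iterable of (path, hexdigest). Matches case-insensitively against the IoC hashes."""
    return [(path, FILE_HASHES[h.lower()]) for path, h in rows if h.lower() in FILE_HASHES]


# Assumed `netstat -ano` layout: proto, local addr:port, remote addr:port, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\w+)\s+(?P<pid>\d+)"
)


def scan_netstat(lines):
    """Flag listeners on the Gokcpdoor server-variant ports and established sessions with listed peers."""
    findings = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lport, state, pid = int(m.group("lport")), m.group("state"), int(m.group("pid"))
        if state == "LISTENING" and lport in GOKCPDOOR_LISTEN_PORTS:
            findings.append(("listener", lport, pid, "Gokcpdoor server-variant port"))
        elif state == "ESTABLISHED" and m.group("raddr") in REFANGED_C2:
            findings.append(("session", lport, pid, REFANGED_C2[m.group("raddr")]))
    return findings


# --- constructed sample telemetry (not from the article) ---
SAMPLE_FLOWS = [
    "2025-10-23T01:12:09Z action=allow src=10.20.4.17 dst=93.184.216.34 dport=443 proto=tcp",
    "2025-10-23T01:12:41Z action=allow src=10.20.4.17 dst=38.54.56.57 dport=443 proto=tcp",
    "2025-10-23T01:13:02Z action=allow src=10.20.7.9 dst=38.54.88.172 dport=443 proto=tcp",
]
SAMPLE_INVENTORY = [
    # constructed placeholder digest for a benign file
    (r"C:\Windows\System32\kernel32.dll", "0" * 64),
    # uppercase on purpose: EDR exports often differ in case from published IoCs
    (r"C:\ProgramData\MaxxAudioMeters64LOC.dll",
     "9E581D0506D2F6EC39226F052A58BC5A020EBC81AE539FA3A6B7FC0DB1B94946"),
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    0.0.0.0:38000          0.0.0.0:0              LISTENING       4212",
    "  TCP    10.20.4.17:38002       38.54.56.10:51014      ESTABLISHED     4212",
]

if __name__ == "__main__":
    for hit in scan_flow_log(SAMPLE_FLOWS):
        print("flow  ", hit)
    for hit in scan_hash_inventory(SAMPLE_INVENTORY):
        print("file  ", hit)
    for hit in scan_netstat(SAMPLE_NETSTAT):
        print("socket", hit)
```

Hash matching only catches the exact samples listed, so a recompiled Gokcpdoor or Havoc build will slip past it; the listener check on ports 38000 and 38002 and the peer check on established sessions are the more durable of the three signals and are worth running against host snapshots as well as historical flow data. In practice, replace the constructed lists with exported firewall logs, an EDR file inventory and per-host socket listings.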